Weekly Solaris Security Digest
2001/06/03 to 2001/06/10

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html




New Solaris Vulnerabilities this Week

Yet another exploit to gain 'mail' privileges:

/usr/bin/mail $HOME Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2819

Severity: a user with a local account may gain mail privileges.
Workaround: chmod -s /usr/bin/mail

Vulnerabilities this Week — Third-party Applications:

Bugtraq Database:

2001-06-05: BestCrypt Arbitrary Privileged Program Execution Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2820

2001-06-03: WebTrends Reporting Server Script Source Code Disclosure Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2812

2001-06-02: Qualcomm qpopper Username Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2811

2001-05-31: Horde Imp Message Attachment Symbolic Link Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2805

2001-05-31: Acme.Serve v1.7 Arbitrary File Access Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2809

 

Bugtraq List:

SSH allows deletion of other users' 'cookie' files.
http://archives.neohapsis.com/archives/bugtraq/2001-05/0322.html

You can delete any file on the filesystem you want... as long as it's called cookies. Not really a very useful bug, but could cause annoyances to people who actually like their cookies.


Solaris vulnerabilities pending

Over the last few weeks, we reported on several Solaris vulnerabilities. Those which are not yet covered by Solaris patches are listed below. See previous digests for a more detailed analysis.

mailtool buffer overflow in $OPENWINHOME

Status: Sun Bug ID: 4458476. No patch is available yet. Severity: a user with a local account may gain mail privileges.

Workarounds: remove the sgid bit, "chmod -s /usr/openwin/bin/mailtool". Note: I've not tested for side-effects, nor has there been a relevant discussion on bugtraq. Presumably the effects are similar to those for mailx, see below.
http://www.securityfocus.com/bid/2787
http://archives.neohapsis.com/archives/bugtraq/2001-05/0258.html

rpc.yppasswdd buffer overflow

Status: remote root exploit, Solaris 2.6, 7 and 8. An active exploit called 'metaray' is available. To check if this daemon is active, try "ps -ef | grep yppasswd". After being exploited, a root shell may be running on tcp/77 (rje) and a process "/usr/sbin/inetd -s z" running.

Workarounds: disable YP/NIS, use NIS+ which is more secure. Disable 'yppasswdd' until patches are available (it is started in /usr/lib/netsvc/yp/ypstart). Or control access to this service by installing the Sunscreen-lite (or other local) firewall. Side effect: If users cannot access this daemon, they will not be able to change their NIS passwords.
http://www.securityfocus.com/bid/2763
http://www.incidents.org/news/yppassword.php  

mailx -F buffer Overflow

Status: local sgid 'mail' exploit. Sun were notified on 18th April and patches should be forthcoming.

Workaround: disable sgid on 'mailx'. Brief tests on Solaris 8 have not shown any noticeable side effects to me: outgoing email can still be sent to remote servers and incoming email can still be read. There may be locking problems however, with locally delivered email.
http://archives.neohapsis.com/archives/bugtraq/2001-05/0016.html
http://www.securityfocus.com/bid/2610

Xsun HOME buffer overflow vulnerability

Status: Local SUID exploit.

Workaround: Remove the SUID permissions. It should continue to work fine if Xsun is run via dtlogin or xdm. Recent patches from Sun include 108376-22 (Solaris 7) and 108652-29 (Solaris 8), but there are no notes in the READMEs to indicate that they address this issue.
http://www.eEye.com/html/Research/Advisories/solxsun.html
http://www.securityfocus.com/bid/2561

SNMP to DMI mapper daemon

Status: Remote exploit being actively abused, no patches yet (Sun bug id 4412996).

Workaround: Disable DMI daemons. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability to compromise hosts and then install Carko, a minor variant of stacheldraht, a widely used DDoS tool.
http://www.kb.cert.org/vuls/id/CFCN-4UMQEC
http://www.cert.org/incident_notes/IN-2001-04.html
Recent patches from Sun include 108869-05 (Solaris 8), 108870-05 (Solaris 8 x86) and 107709 (Solaris 7), but it's unclear if these solve this issue, as no reference is made to the above Sun bug ID. The Solaris 8 patch README for 108869-05, released on 9th May, indicates only a fix for: "Bug id: 4404944 libssasnmp changes the syslog message format"


kcsSUNWIOsolf.so KCMS_PROFILES environment variable

Status: Local SUID exploit, no patches yet.

Workaround: Disable SUID, side effects are minimal.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solsparc_kcssunwiosolf


kcms_configure vulnerability

Status: Local SUID exploit of command line options, no patches yet.

Workaround: Disable SUID, side effects are minimal.
http://www.eeye.com/html/Research/Advisories/AD20010409.html
http://www.securityfocus.com/bid/2605


CDE dtsession LANG environment variable

Status: Local SUID exploit, no patches yet. Exploit available for Solaris x86.

Workaround: On servers not requiring a GUI, the SUID can be removed. Side effects: on a new Solaris 2.8 workstation I removed the suid bit and the CDE desktop continued to function. However, the screen-saver will no longer work since it needs to access /etc/shadow (unless you use PAM for authentication).
http://www.securityfocus.com/bid/2603
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solx86_dtsession


ftpd #1 globbing buffer overflows/core dump shadow password recovery

Status: Apparently it's not so easy to exploit, but the ftp daemon can be crashed and a core file created which may contain /etc/shadow. So, it's less serious than originally reported.

Workaround: Watch your ftp servers carefully for core dumps, and consider restricting access by IP address.
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://securityfocus.com/vdb/bottom.html?vid=2601


ftpd #2 CWD Username Enumeration

Status: Remote exploit, low impact (allows an attacker to recognize valid usernames).

Workaround: None, monitor your ftp servers.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0181.html
http://www.securityfocus.com/bid/2564


NTP buffer overflow

Status: Serious remote exploit, no patches yet.

Workaround: Watch your NTP servers carefully, and restrict access by IP address. One contract customer reports that an "emergency fix" can be obtained from Sun.
http://securityfocus.com/vdb/bottom.html?vid=2540


ipcs Timezone buffer overflow vulnerability

Status: Local SUID exploit, no patches yet.

Workaround: Disable SUID, minimal side effects.
http://www.eEye.com/html/Research/Advisories/solipcs.html
http://www.securityfocus.com/bid/2581
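Most of the workarounds above amount to "remove the set-id bit". The following script is an added example (not part of the digest) that reports, for each program named above, whether a set-uid or set-gid bit is still present; the paths of Xsun, kcms_configure, dtsession and ipcs are assumed and may need adjusting.

```shell
#!/bin/sh
# Added example, not from the digest: check which of the "remove the set-id
# bit" workarounds listed above have actually been applied on this host.
# The default list repeats the programs named above; the locations of
# Xsun, kcms_configure, dtsession and ipcs are assumed, adjust as needed.

DEFAULT_LIST="/usr/bin/mail /usr/bin/mailx /usr/openwin/bin/mailtool
/usr/openwin/bin/Xsun /usr/openwin/bin/kcms_configure /usr/dt/bin/dtsession
/usr/bin/ipcs"

# setid_state FILE: print setuid, setgid, setuid,setgid, none or missing.
# Exit status 0 means a set-id bit is still present (workaround not applied).
setid_state() {
  if [ ! -f "$1" ]; then
    echo missing
    return 1
  fi
  bits=""
  [ -u "$1" ] && bits="setuid"                  # test -u: set-user-ID bit
  [ -g "$1" ] && bits="${bits:+$bits,}setgid"   # test -g: set-group-ID bit
  echo "${bits:-none}"
  [ -n "$bits" ]
}

# audit_setid FILE...: one line per file; the exit status is the number of
# files still carrying a set-id bit, so 0 means every workaround is in place.
audit_setid() {
  pending=0
  for f in "$@"; do
    state=`setid_state "$f"` && pending=`expr $pending + 1`
    echo "$f: $state"
  done
  return $pending
}

# stand-alone use: sh setid_audit.sh --audit [file ...]
# (no files given = the default list above)
if [ "$1" = "--audit" ]; then
  shift
  [ $# -eq 0 ] && set -- $DEFAULT_LIST
  audit_setid "$@"
fi
```

The exit status makes it usable from cron: anything other than 0 means at least one listed program still needs the chmod -s treatment.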



Patches

In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:

  1. As a recommended cluster of patches that can be installed in one go and used to bring a system up to date quickly. A report for each cluster is available; we compare it with the previous week's report.

  2. Individual patches to fix specific problems. A patch report lists all patches and their versions. We compare the patches in the recommended and security sections of this report with the report published the previous week.

We analyze both reports since changes in one are not always reflected in the other.
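The week-to-week comparison of the individual patch report can be scripted. The following is an added example (not SecurityPortal's own tooling) that prints the entries of this week's report that are new or carry a higher revision than last week's; the two sample reports are constructed from the line format used in the list below.

```shell
#!/bin/sh
# Added example, not SecurityPortal's own tooling: list the patches in this
# week's Sun patch report that are new, or carry a higher revision, compared
# with last week's report. Report lines are assumed to look like
# "108528-08 SunOS 5.8: kernel update patch"; both sample reports below
# are constructed for illustration.

LAST_WEEK='105210-37 SunOS 5.6: libaio, libc & watchmalloc patch
108528-07 SunOS 5.8: kernel update patch
109279-13 SunOS 5.8: /kernel/drv/ip patch'

THIS_WEEK='105210-38 SunOS 5.6: libaio, libc & watchmalloc patch
108528-08 SunOS 5.8: kernel update patch
109279-13 SunOS 5.8: /kernel/drv/ip patch
110943-01 SunOS 5.8: /usr/bin/tcsh patch'

# patch_delta OLDREPORT NEWREPORT: print each line of NEWREPORT whose patch
# is absent from OLDREPORT ("[NEW]") or has a higher revision than there
# ("[UPDATED from -NN]"). Unchanged and withdrawn patches are not printed.
patch_delta() {
  awk '
    # "108528-08" -> base id "108528" and numeric revision 8
    function base(id,  p) { p = index(id, "-"); return substr(id, 1, p - 1) }
    function rev(id,   p) { p = index(id, "-"); return substr(id, p + 1) + 0 }
    # only lines that start with a patch id are report entries
    /^[0-9][0-9]*-[0-9][0-9]*/ {
      if (FILENAME == ARGV[1]) { old[base($1)] = rev($1); next }
      b = base($1); r = rev($1)
      if (!(b in old))     print $0 "\t[NEW]"
      else if (r > old[b]) printf "%s\t[UPDATED from -%02d]\n", $0, old[b]
    }
  ' "$1" "$2"
}

# stand-alone use: sh patch_delta.sh last_week.txt this_week.txt
if [ $# -eq 2 ]; then
  patch_delta "$1" "$2"
fi
```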

1. The latest Solaris "Recommended & Security Patch clusters" are as follows:

Solaris 2.5.1, Jun/01/01:

Solaris 2.6, Jun/01/01:

Solaris 7, Jun/01/01:    

Solaris 8, Jun/01/01:

Solaris 8_x86, Jun/01/01:

2. New or updated individual security/recommended patches.

105210-38 SunOS 5.6: libaio, libc & watchmalloc patch
105338-27 CDE 1.2: dtmail patch
105633-53 OpenWindows 3.6: Xsun patch

107684-02 SunOS 5.7: sendmail patch
107709-12 SunOS 5.7: libssasnmp/libssagent/snmpdx/mibiisa/dmispd/snmp_trapsend

108528-08 SunOS 5.8: kernel update patch
108875-09 SunOS 5.8: c2audit patch
108991-12 SunOS 5.8: libc and watchmalloc patch
109041-04 SunOS 5.8: sockfs patch
109234-02 * SunOS 5.8: Apache/mod_jserv patch
109279-13 SunOS 5.8: /kernel/drv/ip patch
109322-07 SunOS 5.8: libnsl patch
110387-03 SunOS 5.8: ufssnapshots support, ufsdump patch
110458-02 SunOS 5.8: libcurses patch
110943-01 SunOS 5.8: /usr/bin/tcsh patch

108529-08 SunOS 5.8_x86: kernel update patch
108992-12 * SunOS 5.8_x86: libc and watchmalloc patch
109042-04 SunOS 5.8_x86: sockfs patch
110402-03 SunOS 5.8_x86: ufsdump patch
110459-02 SunOS 5.8_x86: libcurses patch
110616-01 * SunOS 5.8_x86: sendmail patch
110899-02 SunOS 5.8_x86: csh/pfcsh patch
110944-01 SunOS 5.8_x86: /usr/bin/tcsh patch



News & Articles

CERT

CERT/CC Current Activity
http://www.cert.org/current/current_activity.html

The CERT/CC Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities currently being reported to the CERT/CC.
- sadmind/IIS Worm
- Scans and Probes
Comment: I'm seeing the same activity as CERT, perhaps you should check your systems too? See also the Tip of the Week section below.

Daemonnews

Web Security: Apache and mod_ssl Part II - Paul Weinstein
http://www.daemonnews.org/200106/ssl_apache_pt2.html

In this article we'll cover the most popular open source method: adding mod_ssl to Apache.


A Read-Only Server on a Bootable CD - Marshall Midden
http://www.daemonnews.org/200106/bootable_CD.html

The author describes the process for creating a customized bootable CD for both the FreeBSD and OpenBSD operating systems. The CD can then be used to run a secure server that can't be modified.

BSD Today

OpenBSD drops IPfilter program in licensing dispute
http://www.computerworld.com/cwi/story/0,1199,NAV47_STO61038,00.html
http://www.bsdtoday.com/2001/June/Features495.html
http://www.newsforge.com/article.pl?sid=01/06/06/169245&mode=thread

UltraLinux

Opera has released a version of its browser compiled for Linux on SPARC processors. There are versions dynamically and statically linked with Qt.
http://www.opera.com/download/

LinuxSecurity


Sun

A list of sysadmin tools, categorized.
http://www.ensta.fr/internet/unix/sys_admin/

Security-Focus

The Trouble With Tripwire: Making a Valuable Security Tool More Efficient - Edward R. Arnold
http://www.securityfocus.com/frames/?focus=sun&content=/focus/sun/articles/tripwire.html


Mailing Lists

Focus-Sun Discussions Threads


YASSP (the Solaris Hardening Tool) Developers' List Discussions

YASSP beta 15 is still current. See also http://www.yassp.org .

Discussions this week:


Security Tools

Security tool news is summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html

Updates to General free tools this week include MindTerm SSH, TCTUTILs and BIND.
Auditing and Intrusion Monitoring tools include SnortPlot, Nmap, SAINT, NEAT, NANS, Chkrootkit, PIKT, LIDS, Samhain and 3 other tools.
Firewalls for UNIX/Linux/BSD & Cross-platform include GShield, FloppyFw, IPfilter, PacketPlot and 2 other tools.
Tools for Linux/Unix/Cross Platform include Secure FTP, OpenCL and RSX.
Tools for Windows include AntiVir Personal Edition and Mailscanner for Postfix.

Note: The new Mindterm is good, the new 'scp' GUI works well. I have problems with umlauts on Swiss-German keyboards though.


Tip of the Week: Detecting the sadmind/IIS worm

I recently had to scan a few networks to check for the existence of Sun servers which had been compromised by the above worm. More details on the worm are available from CERT. The approach and scripts used are documented here, as they may be of use to readers auditing their systems.

  1. Scan all systems on the listed networks for an open port 600 (since the worm leaves a backdoor on this port), using the following script wrapper around the 'nmap' tool.
    #!/bin/sh
    # /root/sean/nmap_port
    # Sean Boran, 16.Jun.01
    #
    # Scan each listed network for tcp/600 (the sadmind/IIS worm backdoor)
    # and mail the filtered nmap report for each network to $user.

    port="600"
    user="root"
    # nmap output lines that carry no information for this check
    ignore="^Port|filtered|^$|seconds to scan|Initiating"

    f=$0.$$
    cmd="/usr/local/bin/nmap -P0 -sS -p $port"   # -P0: do not ping first

    for target in 176.17.16.0/24 176.17.17.0/24; do
      date > "$f"
      echo "$cmd $target" >> "$f" 2>&1
      $cmd $target | egrep -v "$ignore" >> "$f" 2>&1
      date >> "$f"
      mailx -s "Port $port scan $target" "$user" < "$f"
      # keep one copy per network; a plain "$f.done" would be overwritten
      # by the next iteration
      mv "$f" "$f.`echo $target | tr / _`.done"
    done
    
  2. Scan all systems on the listed networks for RPC program 100232 (sadmind), using a script wrapper around the 'rpcinfo' tool. If a system running sadmind is found it will output a message like:

    Checking 193.5.227.50
    RPC program 100232 is running!
    program 100232 version 10 ready and waiting

    #!/bin/sh
    # sadmin_scan                            Sean Boran, 7.Jun.01
    #
    # Ask every host in the listed class C networks whether RPC program
    # 100232 (sadmind) answers over UDP, and show rpcinfo's reply if so.

    result1=$0.$$

    for network in 176.17.16 176.17.17; do

      host=1
      while [ "$host" -lt 255 ]; do
        echo "Checking $network.$host"

        # exit status 0 means the portmapper knows the program and it
        # answered the null procedure call
        if rpcinfo -u "$network.$host" 100232 > "$result1" 2>&1; then
          echo "RPC program 100232 is running!"
          cat "$result1"
        fi

        host=`expr "$host" + 1`
      done
    done

    rm -f "$result1"

A copy of the above scripts can be found on: www.boran.com/security/sp/solaris.
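The two scans answer different questions (is the backdoor present, is sadmind reachable), and they are easier to act on once merged. The script below is an added example (not one of the scripts linked above) that combines both outputs into a per-host triage list; the sample logs are constructed, and the nmap lines only approximate the report format after the wrapper's egrep filter, so adjust the parsing for your nmap version.

```shell
#!/bin/sh
# Added example, not one of the digest's scripts: merge the output of the two
# scans above into a per-host triage list. Both sample logs are constructed;
# the nmap lines approximate the filtered 2001-era report (address in
# parentheses, then one line per port), adjust the parsing for your version.

NMAP_LOG='Interesting ports on  (176.17.16.5):
600/tcp    open        ipcserver
Interesting ports on  (176.17.16.9):
600/tcp    closed      ipcserver'

SADMIND_LOG='Checking 176.17.16.5
RPC program 100232 is running!
program 100232 version 10 ready and waiting
Checking 176.17.16.7
RPC program 100232 is running!
program 100232 version 10 ready and waiting
Checking 176.17.16.9'

# triage NMAPLOG SADMINDLOG: one line per host that showed an indicator:
#   COMPROMISED?   tcp/600 backdoor open and sadmind answering
#   EXPOSED        sadmind answering, no backdoor seen (patch or disable it)
#   BACKDOOR-ONLY  tcp/600 open but sadmind silent (look closer by hand)
triage() {
  awk '
    FNR == 1 { cur = "" }                   # new file: forget current host
    FILENAME == ARGV[1] {                   # nmap log
      if (match($0, /\([0-9.]+\)/)) cur = substr($0, RSTART + 1, RLENGTH - 2)
      else if ($1 == "600/tcp" && $2 == "open" && cur != "") open600[cur] = 1
      next
    }
    $1 == "Checking" { cur = $2 }           # sadmin_scan log
    /^RPC program 100232 is running/ && cur != "" { sadmind[cur] = 1 }
    END {
      for (h in open600) hosts[h] = 1
      for (h in sadmind) hosts[h] = 1
      for (h in hosts) {
        if (open600[h] && sadmind[h]) s = "COMPROMISED?"
        else if (sadmind[h])          s = "EXPOSED"
        else                          s = "BACKDOOR-ONLY"
        printf "%s\t%s\n", h, s
      }
    }
  ' "$1" "$2" | sort
}

# stand-alone use: sh worm_triage.sh nmap_port.out sadmin_scan.out
if [ $# -eq 2 ]; then
  triage "$1" "$2"
fi
```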

If you have tips you'd like to share with others, contact us.


References and Resources

All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

